FortiGate
rmetzger
Staff
Article Id 193796
Description
This article describes one root cause of traffic failing to pass through a FortiGate when the debug flow reports "Denied by end point ip filter check": the source host has been quarantined and sits in the banned-user list, so its packets are dropped before policy lookup even though the firewall policies themselves are correct.

Assume the following scenario:

[10.160.0.10] ------------ port2 [ DUT FGT ] port1 ------- [192.168.183.254]

The FortiGate has the correct firewall policies from port2 to port1.

Problem: a ping from 10.160.0.10 does not reach any device behind port1.
Example: ping 192.168.183.254

Running a debug flow filtered on the source address shows the following (the commands below are as written for the FortiOS release of this article; on current releases the filter keyword is addr, i.e. diag debug flow filter addr 10.160.0.10):

FGT# diag debug enable
FGT# diag debug flow show console enable
FGT# diag debug flow filter add 10.160.0.10
FGT# diag debug flow trace start 1000

id=20085 trace_id=3522 msg="vd-root received a packet(proto=1, 10.160.0.10:512->192.168.183.254:8) from port2."
id=20085 trace_id=3522 msg="allocate a new session-000e8ce9"
id=20085 trace_id=3522 msg="find a route: gw-192.168.183.254 via port1"
id=20085 trace_id=3522 msg="find SNAT: IP-192.168.182.110, port-53412"
id=20085 trace_id=3522 msg="Denied by end point ip filter check"

or, for the same host's DNS traffic, which is blocked in exactly the same way:

id=20085 trace_id=3696 msg="vd-root received a packet(proto=17, 10.160.0.10:1025->d.n.s.q:53) from port2."
id=20085 trace_id=3696 msg="allocate a new session-000e8f20"
id=20085 trace_id=3696 msg="find a route: gw-192.168.183.254 via port1"
id=20085 trace_id=3696 msg="find SNAT: IP-192.168.182.110, port-29861"
id=20085 trace_id=3696 msg="Denied by end point ip filter check"
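On a busy firewall a 1000-packet trace produces far more output than the ten lines above, and the useful step is to correlate lines by trace_id so that each denial can be attributed to the packet header that opened the trace. The following Python script is an added example, not part of the original article or of FortiOS: it parses debug flow output, keeps only traces that end with "Denied by end point ip filter check", and counts them per source IP, which gives the list of hosts to look up in the banned-user table. The sample input is constructed from the two traces on this page plus one invented allowed trace (trace_id 3700, host 10.160.0.20) so the filter has something to ignore; the redacted DNS server address d.n.s.q is kept as-is.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denied traces from the article, plus one
# invented, allowed trace (3700, host 10.160.0.20) that must not be reported.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=3522 msg="vd-root received a packet(proto=1, 10.160.0.10:512->192.168.183.254:8) from port2."
id=20085 trace_id=3522 msg="allocate a new session-000e8ce9"
id=20085 trace_id=3522 msg="find a route: gw-192.168.183.254 via port1"
id=20085 trace_id=3522 msg="find SNAT: IP-192.168.182.110, port-53412"
id=20085 trace_id=3522 msg="Denied by end point ip filter check"
id=20085 trace_id=3696 msg="vd-root received a packet(proto=17, 10.160.0.10:1025->d.n.s.q:53) from port2."
id=20085 trace_id=3696 msg="allocate a new session-000e8f20"
id=20085 trace_id=3696 msg="find a route: gw-192.168.183.254 via port1"
id=20085 trace_id=3696 msg="find SNAT: IP-192.168.182.110, port-29861"
id=20085 trace_id=3696 msg="Denied by end point ip filter check"
id=20085 trace_id=3700 msg="vd-root received a packet(proto=6, 10.160.0.20:40000->192.168.183.254:22) from port2."
id=20085 trace_id=3700 msg="allocate a new session-000e8f21"
id=20085 trace_id=3700 msg="find a route: gw-192.168.183.254 via port1"
id=20085 trace_id=3700 msg="Allowed by Policy-3: SNAT"
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
DENY_MSG = "Denied by end point ip filter check"

# key=value pairs; msg is double-quoted and may itself contain spaces and '='
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the first line of every trace: proto, src:sport->dst:dport, ingress interface
PACKET_RE = re.compile(
    r"received a packet\(proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\) from (\S+)\."
)


def parse_line(line):
    """Split one debug flow line into its key=value fields (quotes stripped)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def group_by_trace(debug_output):
    """Return {trace_id: [msg, ...]} in first-seen order of the traces."""
    traces = {}
    for raw in debug_output.splitlines():
        fields = parse_line(raw)
        if "trace_id" in fields and "msg" in fields:
            traces.setdefault(fields["trace_id"], []).append(fields["msg"])
    return traces


def find_endpoint_filter_denials(debug_output):
    """One record per trace that ended with the endpoint IP filter denial."""
    denials = []
    for trace_id, msgs in group_by_trace(debug_output).items():
        if DENY_MSG not in msgs:
            continue
        packet = None
        for m in msgs:
            packet = PACKET_RE.search(m)
            if packet:
                break
        if packet is None:
            continue  # denial without a packet header line: nothing to attribute
        proto, src, sport, dst, dport, iface = packet.groups()
        denials.append({
            "trace_id": trace_id,
            "proto": PROTO_NAMES.get(int(proto), proto),
            "src": src,
            "sport": int(sport),
            "dst": dst,
            "dport": int(dport),
            "in_iface": iface,
            # route and SNAT were already resolved, so routing/NAT is not the cause
            "snat": any(m.startswith("find SNAT") for m in msgs),
        })
    return denials


def suspect_sources(denials):
    """Denials per source IP: the hosts to look up in the banned-user list."""
    counts = defaultdict(int)
    for d in denials:
        counts[d["src"]] += 1
    return dict(counts)


def report(debug_output):
    """Human-readable summary, one line per denied trace plus one per host."""
    denials = find_endpoint_filter_denials(debug_output)
    lines = [
        f'trace {d["trace_id"]}: {d["proto"]} {d["src"]}:{d["sport"]} -> '
        f'{d["dst"]}:{d["dport"]} in on {d["in_iface"]}, snat={d["snat"]}: {DENY_MSG}'
        for d in denials
    ]
    for src, n in suspect_sources(denials).items():
        lines.append(f"check the banned-user list for {src} ({n} denied flows)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG_FLOW)))
```

Paste the console output of the trace into a file and feed it to find_endpoint_filter_denials; the allowed trace 3700 is ignored and the two denied traces are both attributed to 10.160.0.10. The "snat" flag is recorded because a trace that has already found a route and a SNAT address and is then denied by the endpoint filter rules out routing and NAT as the cause, which is what points at the quarantine list rather than the policy set.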



Solution
This problem, and the associated debug flow message, can be caused by the IP address 10.160.0.10 having been quarantined by DLP (Data Leak Prevention) because of the quarantine settings in the protection profile. The "end point ip filter" is the check against the list of banned (quarantined) source addresses; a host on that list has all of its traffic dropped before the firewall policies are evaluated, which is why the route and SNAT lookups succeed and the policies look correct. Other protection-profile features with a quarantine action populate the same list, so the entry is not always due to DLP.

To verify this, from the GUI go to User >> Monitor >> Banned >> Banned Users (on current FortiOS releases, the CLI command diagnose user banned-ip list shows the same table).

This is what will appear:

[screenshot: rmetzger_FD30386_ScreenShot014.jpg]

Note: to release the quarantined host, click the trash icon next to its entry (on current FortiOS releases, diagnose user banned-ip clear releases every banned address at once).

The quarantine action is also recorded in the FortiGate event log (if logging has been enabled), as shown below:

[screenshot: rmetzger_FD30386_ScreenShot015.jpg]


More information on the DLP feature is available in the FortiGate Administration Guide.


Related Articles

Technical Note: Custom FortiGate IPS signature to detect / block a high rate of DNS requests to non-...
